June 5, 2002

Information System Security

Army Web Site Administration, Policies, and Practices (D-2002-098)

Department of Defense
Office of the Inspector General

Quality    Integrity    Accountability

Copies

To obtain additional copies of this audit report, visit the Web site of the Inspector General of the Department of Defense at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General of the Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronym

    GILS    Government Information Locator Service

Office of the Inspector General of the Department of Defense
Report No. D-2002-098    June 5, 2002
(Project No. D2001AB-0116.001)

Army Web Site Administration, Policies, and Practices

Executive Summary

Who Should Read This Report and Why? Web site developers and administrators, operational security officers, public affairs officers, managers responsible for Web site content, and Web site users should read the reports in this series. Those involved with administering or overseeing Web sites will want to make sure that their content is appropriate.

Background. This report is the second in a series that addresses DoD Internet administration, policies, and practices. The first report addressed the Web site administration, policies, and practices of the Air Force. A subsequent report will cover Web site administration within the DoD. The Naval Audit Service issued a separate audit report on Web site administration within the Navy and the Marine Corps. The "DoD Web site Administration Policy and Procedures" (the Policy), November 25, 1998, and updated April 26, 2001, describes procedures for establishing, operating, and maintaining DoD unclassified Web sites. The Policy requires heads of DoD Components to establish a process to identify appropriate information for posting to Web sites and to review all information placed on publicly accessible Web sites for security levels of sensitivity before the information is released. The Policy requires Components to establish procedures for management oversight and review of Web sites and to provide necessary resources to support Web site operations. The Policy also requires an annual security assessment of Web sites.

Results. The Army's publicly accessible Web sites contained inappropriate information, which was in contravention of Army Web Policy. As a result, potentially sensitive matters and information were not adequately protected. The Army needs to revise its policy for documenting and reporting review results, establish a system to resolve discrepancies, reconcile and verify its Web site inventory, establish a way to monitor the consistency of the Army Web site review and approval process, establish an Army Web Risk Assessment Cell, establish annual operational security reviews of Web sites, and establish a training requirement and curriculum for Army Web administration personnel.

Management Comments. The Army concurred with the recommendations. Its actions to establish the Army worldwide Intranet, consolidate Army National Guard and Army Reserve servers, update its Web site administration policy, and determine the training requirement for Web site administration personnel meet the intent of the recommendations; therefore, no further comments are required.

Table of Contents

Executive Summary

Introduction
    Background
    Objectives

Finding
    Army Internet Administration, Policies, and Practices

Appendixes
    A. Audit Process
        Scope and Methodology
        Management Control Program Review
        Prior Audit Coverage
    B. Report Distribution

Management Comments
    Department of the Army

Background

DoD Web Page Policy. The "DoD Web site Administration Policy and Procedures" (the Policy), December 7, 1998, and updated April 26, 2001, describes procedures for establishing, operating, and maintaining DoD unclassified Web sites. The Policy requires heads of DoD Components to establish a process to identify appropriate information for posting to Web sites and to review all information placed on publicly accessible Web sites for security levels of sensitivity before the information is released.

In addition, the Policy requires Components to establish procedures for management oversight and review of Web sites and to provide necessary resources to support Web site operations, including funding, staffing, and training. The Policy also requires an annual security assessment of Web sites to ensure that information that could have a negative effect on U.S. military operations or personnel is not available on publicly accessible Web sites.

Moreover, Components must register each publicly accessible Web site with the Government Information Locator Service (GILS). The GILS helps citizens identify, locate, and retrieve information about the Government. The GILS resides on the Defense Link, which is the official Web site for DoD and the starting point for finding military information online for defense policy, organizations, functions, and operations.

The Policy defines a Web site as a collection of information that is organized into a number of Web documents. The information is related to a common subject or set of subjects and is linked to subordinate information that is included on a Web page. A Home Page is the index or introductory document for a Web site. An official DoD Web site is developed and maintained with command sponsorship, approval, and editorial supervision over content.

DoD Oversight of Web Content. On February 25, 1999, the Secretary of Defense approved the Joint Web Risk Assessment Cell plan to use Reserve assets to conduct ongoing security and threat assessments of Components' publicly accessible Web sites. The Joint Web Risk Assessment Cell is responsible for analyzing data on DoD Web sites for information that poses potential or real threats to ongoing operations and DoD personnel. Inappropriate data include For Official Use Only, sensitive and classified information, and other information at one or more sites that, when combined, would be sensitive or classified and should not be released to the general public.

Army Policy on Web Sites. The Director of Information Systems for Command, Control, Communications, and Computers serves as the Chief Information Officer of the Army. Army Regulation 25-1, "Army Information Management," February 15, 2000, states that Army organizations will assign a Web master who will have technical control over updating each Web site's content and approving information for public release. Prohibited information, which includes information that is classified, For Official Use Only, protected under the Privacy Act, exempted under the Freedom of Information Act, and draft policy publications, must not be made available to the general public. In addition, Regulation 25-1 requires Army organizations that maintain Web sites to register with the Army Home Page. The Army Home Page is used by Army organizations and personnel to share information with Web users. Registration requires the submission of official record information such as Web site title, Internet address, major command, base location, point of contact, and other pertinent Web site data. Regulation 25-1 also states that the Training and Doctrine Command will formulate information management and information technology doctrine for the Army, and in coordination with the Director of Information Systems for Command, Control, Communications, and Computers identify and analyze information management training requirements, and update existing courseware.

The Office of the Director of Information Systems for Command, Control, Communications, and Computers provided detailed guidance on Web site administration in "Guidance for Management of Publicly Accessible U.S. Army Web Sites," November 30, 1998, which defines the responsibilities of Army personnel in the establishment and operation of Army Web sites. The guidance provides that officials who operate Army Web sites must control the Web sites' contents so that they comply with policies, and must periodically reevaluate each Web site under their control. Officials must ensure information posted on Web sites is accurate, timely, represents the official Army position, and is properly cleared for public release. Additional prohibited information includes copyrighted trademarks, logos, and links to inappropriate commercial Web sites. Moreover, Army organizations that maintain Web sites must register with GILS and also notify the Army Web site when changes occur to the registration information.

Army Regulation on Public Affairs. Army Regulation 360-1, "The Army Public Affairs Program," September 15, 2000, states that public affairs offices and security offices must review and approve DoD official information for public release.

Army Regulation on Operations Security. Army Regulation 530-1, "Operations Security," March 3, 1995, prescribes policy and procedures for operational security. Operations security is a process to protect and prevent the disclosure of any information that may jeopardize U.S. Forces performing their mission. Regulation 530-1 requires each Army organization to develop an Operations Security Program to protect critical information. The program should include a process to identify critical information, analyze threats and vulnerabilities, and assess risks and countermeasures. In addition, each year, major commands must submit a report on their programs to the Deputy Chief of Staff for Operations and Plans, who is the Army proponent for operations security.

Objectives

Our objective was to evaluate Army policies and practices for Web site administration and oversight. Specifically, we reviewed how the Army hosts official Web sites, how the Army registers and monitors Web sites for compliance with policy, and how the Army safeguards sensitive information. We also evaluated the management control program as it related to the overall objective. See Appendix A for a discussion of the audit scope and methodology, the management control program, and prior audit coverage.

Army Internet Administration, Policies, and Practices

The Army had publicly accessible Web sites that contained inappropriate information, which was in contravention of Army Web Policy. This condition occurred because:

• Army organizations did not employ consistent approval processes for reviewing information displayed on publicly accessible Web sites, and did not conduct periodic policy compliance and annual security reviews of publicly accessible Web sites;

• the Director of Information Systems for Command, Control, Communications, and Computers did not coordinate with the Training and Doctrine Command to identify and implement training and curriculum requirements for Web administration personnel; and

• the Director of Information Systems for Command, Control, Communications, and Computers did not provide oversight and was not aware of all publicly accessible Army Web sites.

As a result, potentially sensitive matters and information were not adequately protected.

Information on Army Public Web Sites

Joint Web Risk Assessment Cell Review of Army Web Sites. The Joint Web Risk Assessment Cell conducts ongoing security and threat assessments of DoD Components' publicly accessible Web sites. The Joint Web Risk Assessment Cell is responsible for analyzing data for information that poses threats to ongoing DoD operations or personnel and that should not be released to the general public. From June 2001 through August 2001, the Joint Web Risk Assessment Cell identified 77 publicly accessible Web sites that contained inappropriate information. The types of information identified on the Web sites were operational plans, personal information, policies and procedures on military operations, and documents marked For Official Use Only.

Types of Inappropriate Information on Army Web Sites

    Types of Information                              Number of Web Sites Affected
    Personal Information                                                         4
    For Official Use Only                                                       11
    Operational Plans                                                           14
    Policies and Procedures on Military Operations                              48
    Total                                                                       77

DoD IG Web Site Reviews. We performed in-depth reviews of Web site administration at the Army Forces Command, the Army Training and Doctrine Command, and 11 subordinate organizations. Through the Internet, we identified Web sites under the control of both commands that contained information prohibited by Army Web policy. For example, Forces Command organizations that we reviewed had Web sites that identified birth dates, family information, personal e-mail addresses, new equipment fielded, exercise data, or inappropriate links to commercial sites. The Army Training and Doctrine Command organizations that we reviewed also had Web sites that contained birth dates, family information, or inappropriate language. We provided each organization reviewed with the inappropriate information and were told by the officials that it would be removed.

The Army had publicly accessible Web sites that contained inappropriate information, which contravenes DoD Policy and Army Web policy and guidance and that should not be made available to the public. Web sites must be informative and contain only information that is appropriate for posting. The Army must prevent the disclosure of sensitive movements of military assets or personnel; locations of units, installations, or personnel; personal information protected under the Privacy Act; copyright information; trademarks and logos; and classified information on Army publicly accessible Web sites. In addition, information on Army Web sites must be accurate, timely, represent the official Army position, and must not have a negative effect on Army personnel and operational security.

Approval Process for Releasing Information

Although the November 30, 1998, Army guidance for managing publicly accessible Web sites and Army Regulation 360-1 require that all information posted to a Web site be reviewed for appropriateness by the security and the public affairs offices, the 2 major commands and 11 subordinate organizations that we visited had inconsistent approval processes for releasing and publishing information on Web sites. The Forces Command requires public affairs offices to control the content of Web sites, and the Training and Doctrine Command provides that public affairs offices and staff judge advocate offices, when requested, will review material prior to posting to publicly accessible Web sites.

Army Forces Command. Forces Command policy, June 18, 2001, "World Wide Web Policy 25-01-2," requires that the public affairs offices review and approve all information posted to the Forces Command and subordinate commands' Web sites. The Office of Public Affairs is the approval authority for the release of information to the general public. The Office of Public Affairs and the Information Management Directorate reviewed and approved the release of information posted on the Forces Command Web site. The three subordinate organizations visited--the Reserve Command, the I Corps, and the Fifth Army--inconsistently followed the Forces Command's policy.

Army Reserve Command. The Office of Public Affairs operated the Reserve Command's Web site and reviewed and approved information posted on its Web site. One of the subordinate organizations, the 94th Regional Support Command, maintained a Web site operated by its Office of Public Affairs. However, the Office of Public Affairs did not review subordinate organizations' Web sites unless the Web page was hosted on the 94th Web site or if the organization requested a review. Another subordinate organization, the 70th Regional Support Command, stated that its Office of Public Affairs reviewed and approved information posted to its Web site and for subordinate units' Web sites when the Web sites were first initiated, but it did not review and approve subsequent information posted.

I Corps. At I Corps, the Office of Public Affairs, the Office of the Staff Judge Advocate, and the Directorate of Information Management reviewed and approved information posted on the I Corps and subordinate units' Web sites when the Web sites were first initiated but did not review and approve subsequent information posted.

Fifth Army. The Fifth Army Office of Public Affairs is the approval authority for the release of information and operates the Fifth Army Web site. However, the Office of Public Affairs did not review and approve information on subordinate units' Web sites at initiation and did not review and approve updates unless the Web page was hosted on the Fifth Army Web site.

Training and Doctrine Command. Training and Doctrine Command Regulation 25-70, July 7, 2000, "Network Services," provides that public affairs offices and staff judge advocate offices, when requested, will review material before it is posted to publicly accessible Web sites.

The Training and Doctrine Command Web site was reviewed and approved by the public affairs office and the staff judge advocate office only when requested. The Army Chaplain School obtained public affairs approval for all information posted on its Web site. The Army Finance School, the Recruiting and Retention School, and the Soldier Support Institute obtained public affairs review and approval for major updates to their Web sites. The Adjutant General School did not obtain approval because most changes were updates only. The Cadet Command Web site was reviewed and approved by the public affairs office and the staff judge advocate office only when requested.

The approval process for posting information on Web sites is necessary to ensure that only properly cleared information is released to the general public on Army Web sites. Although Web policy is the responsibility of the Director for Information Systems for Command, Control, Communications, and Computers, the release of information is the responsibility of the Chief of Public Affairs. Accordingly, the Chief of Public Affairs, in coordination with the Director of Information Systems for Command, Control, Communications, and Computers, must establish an oversight mechanism to monitor whether Army organizations are using consistent procedures for reviewing and approving all information posted to Web sites.

Periodic Policy Compliance and Annual Security Reviews

The DoD Policy requires annual security reviews of Web sites, but the Army guidance for management of public Web sites requires periodic policy compliance reviews of Web sites to evaluate compliance. In addition, Army Regulation 530-1 requires Army organizations to develop an Operations Security Program to protect critical information, conduct an annual review of the Operations Security Program, and report the results to the Deputy Chief of Staff for Operations and Plans. However, the 2 major commands and 11 subordinate organizations that we visited inconsistently performed security and policy compliance reviews.

Army Forces Command. Officials at the Forces Command stated that they periodically performed policy compliance reviews of their Web site without documenting the results; however, they did not perform an annual security review. In addition, officials stated that they did not perform periodic policy compliance reviews or annual security reviews of subordinate command Web sites, including the Reserve Command, the I Corps, and the Fifth Army, because that responsibility rests with each organization that operates an official Web site.

Army Reserve Command. Officials at the Reserve Command periodically reviewed Reserve Command Web sites for compliance with policy and notified Web masters of needed corrections. In August 2001, an operational security review performed on 90 Web sites showed that 20 percent of the Web sites were in violation. On July 5, 2001, an operational security review was performed on the Reserve Web site; however, officials stated that they did not perform annual security reviews of their subordinate units' Web sites. Two subordinate organizations, the 70th and 94th Regional Support Commands, did not conduct periodic policy compliance reviews and annual security reviews of their Web sites or their subordinate units' Web sites due to resource constraints.

I Corps and Fifth Army Commands. The I Corps and the Fifth Army Commands did not conduct periodic policy compliance reviews and annual security reviews of their Web sites or their subordinate units' Web sites because of resource constraints.

Training and Doctrine Command. Officials at the Training and Doctrine Command and the subordinate Cadet Command did not conduct periodic policy compliance reviews and annual security reviews of their Web sites or subordinate organizations' Web sites because of resource constraints. The Adjutant General School, the Army Finance School, and the Recruiting and Retention School also did not conduct periodic policy compliance reviews and annual security reviews of their Web sites because of resource constraints. The Soldier Support Institute stated that it performed periodic policy compliance reviews and quarterly operations security reviews but did not document the reviews. Only the Army Chaplain School performed documented annual security reviews in September 1999, 2000, and 2001 using the Army Operational Security Checklist for Publicly Accessible Web sites. The checklist assists reviewers in assessing operational security vulnerabilities and determining whether Web policy is being properly implemented for their publicly accessible Web sites. The 1999 review performed by the Office of Public Affairs and the Chaplain School Webmaster identified and corrected six instances where inappropriate information was posted or where required information, such as a Privacy statement, was missing from the Web site. The 2000 review identified no deficiencies. The 2001 review identified and corrected four instances of inappropriately posted information.

Security Reviews after September 11, 2001. After the terrorist attacks on September 11, 2001, the Forces Command reviewed its Web site for operational security information and made necessary corrections. Officials stated that they also plan to review subordinate organizations' Web sites for operational security information. The Chief, Army Reserve Command issued a memorandum dated September 20, 2001, that requires all subordinate units to perform an operational security review of their Web sites, make needed changes, and submit the sanitized Web site to the Reserve Command for final review and approval. The Reserve Command Web site was also reviewed for operational security after the attack. The Training and Doctrine Command Emergency Operations Center issued a tasking to review all public communications, including Web pages, to ensure that operational security information is not released in public forums.

Major commands must evaluate each Web site under their control for compliance with Army policy and to protect operational security. Both periodic policy compliance reviews and annual security reviews are a necessary part of Web site administration to prevent information that could affect operational security from being posted on publicly accessible Army Web sites. Army Web Administration policy requires periodic policy compliance reviews but does not require annual security reviews of Web sites. Also, Army Policy does not require the results to be written or a followup system to resolve identified potential inappropriate postings.

The Director for Information Systems for Command, Control, Communications, and Computers must revise the Army Web administration guidance to require documented periodic policy compliance reviews of publicly accessible Web sites and a followup system to resolve discrepancies concerning operational and other issues identified during the reviews. The Deputy Chief of Staff for Operations and Plans must ensure that major commands' operational security personnel perform independent, annual operational security reviews of Web sites as part of the Operational Security Program and annual Operational Security Report.

Training of Web Administration Personnel

Web Administration Training. Army Regulation 25-1 requires that the Training and Doctrine Command formulate information management and information technology doctrine for the Army, and in coordination with the Director of Information Systems for Command, Control, Communications, and Computers identify and analyze information management training requirements, and update existing courseware. The Training and Doctrine Command officials indicated that they had not developed training requirements and course material for Web administration personnel.

Forces Command. The Forces Command did not have a training requirement and did not provide Web administration personnel with training on Web site administration. However, the Forces Command Web page did provide guidance on Web site issues, including Web procedures. The Army Reserve Command, the Fifth Army, and the 94th Reserve Support Command did not offer policy training to their Web administrators. The 70th Reserve Support Command developed a training course on Web site policy that included Web Administrator responsibilities and publishing guidelines. The I Corps developed a Web Administrator policy course that included responsibilities of Web administration personnel and identified types of prohibited information. The I Corps also provided links to Web policy and guidance at its Web site.

Training and Doctrine Command. The Training and Doctrine Command did not provide its organizations with training on Web administration; however, it did provide access to DoD, Army, and Training and Doctrine Command Web policies. Web administrators must receive training in Web site administration policy so that Web administration personnel are cognizant of guidance and requirements for Web site administration. Trained personnel provide an additional assurance that information on publicly accessible Web sites is appropriate for public viewing.

Air Force Lessons Learned. Our review of the Air Force Web administration identified that the Air Force Communications Agency was developing a computer-based training course for Web masters and other Web administration personnel. The course includes a 4-hour session with a 1-hour review, followed by questions that must be answered with a 70-percent correct score for successful completion of the course. Instruction topics include Web administration, roles of personnel, the Web server, system security, Web site establishment, page design, and the collection of information. The training will enable participants to perform essential Internet administration tasks and manage the enterprise in a secure manner.

The Director of Information Systems for Command, Control, Communications, and Computers must coordinate with the Training and Doctrine Command to establish an Army Web administration training requirement and curriculum. All personnel should complete the training before being assigned Web duties. The Director for Information Systems for Command, Control, Communications, and Computers should request that the Training and Doctrine Command use the already developed Air Force training as a starting point for an Army training and education program in Web administration.

Army Web Site Inventory

The number of publicly accessible Army Web sites is unknown. Army policy requires registration of publicly accessible Web sites in the GILS and with the Army Home Page. Listings of Army Web sites accessible to the general public as shown on the Army Home Page differed from those registered in GILS. As of December 11, 2001, 459 Army Web sites were listed on the Army Home Page. The GILS contained 374 Army listings. Only 43 were listed at both sites, with the remainder listed either in GILS only (331) or on the Army Home Page only (416).

Although Web sites are required to be registered in both the Army Home Page and GILS, there is no requirement for both listings to be identical and up-to-date. Annually, major commands should correct the information in both listings and report discrepancies. Command oversight and identical registration will ensure that Army officials have a listing of all publicly accessible Web sites so that when changes to policy occur, the changes can be disseminated to Web officials; when training requirements are established, training can be planned and taken; and when commands perform periodic policy and annual security reviews, they will be able to analyze all publicly accessible sites. The Director for Information Systems for Command, Control, Communications, and Computers should revise Army Web Administration policy to require periodic reviews to reconcile Web site registration between the Army Home Page and GILS.

Monitoring Army Web Sites

The Army had not established a Web Risk Assessment Cell. Both the Air Force and the Navy have Web Risk Assessment Cells operated by reservists, which supplement the Joint Web Risk Assessment Cell. The Army Web Risk Assessment Cell could be responsible for vulnerability analyses and threat assessments of the content on Army Web sites. In addition, the Web Risk Assessment Cell could analyze content and data of Army Web sites, and review cross-sectional Web information, trend analysis, and aggregate data that could pose a threat to ongoing operations or personnel. Also, the Web Risk Assessment Cell could review Army Web sites for compliance with Army instructions, recognize and report vulnerabilities at one or more Web sites, and notify officials of the results. The Director for Information Systems for Command, Control, Communications, and Computers should establish a separate Web Risk Assessment Cell to facilitate reviews of Web sites for potential inappropriate information.

Summary

The GILS was established to help citizens identify, locate, and retrieve information about the Government.
Web sites must be informative and contain\n    only information appropriate for posting. To achieve this, managers who are\n    responsible for Web administration, including posting information on Web sites,\n    must be aware of the policy and process for establishing and revising Web sites,\n    and appropriate Web page content. Information must be approved for public\n    release. Training in Web site administration is a first step to safeguarding\n    sensitive information along with establishing an oversight Web Risk Assessment\n    Cell. In addition, performing periodic policy compliance reviews and annual\n    security reviews of Web sites is imperative so that only appropriate information is\n    posted. Further, a listing of Web administrators and Web sites that are\n    consistently reported in DoD and Army databases will help facilitate the\n\n\n                                         10\n\x0c           distribution of new policy, assist in the oversight of known public Web sites, and\n           ensure training of appropriate officials. All of those steps will help prevent the\n           disclosure of sensitive movements of military assets or personnel; locations of\n           units, installations, or personnel; personal information protected under the Privacy\n           Act; copyright information; trademarks and logos; and classified information on\n           Army publicly accessible Web sites.\n\n\nManagement Actions in Response to the Report\n           The Director of Enterprise Integration, Office of the Director of Information\n           Systems for Command, Control, Communications, and Computers1 provided the\n           Army response. She stated that the Army has made progress in resolving many of\n           the findings and recommendations that we identified in our report. Web content\n           violations are being alleviated through the Army\xe2\x80\x99s strategy to improve business\n           practices. 
Specifically, the Army has established the Army worldwide Intranet\n           and single portal for the Army to conduct its business operations. Army\n           organizations are moving their business information and applications to the\n           security of the Army Intranet and removing the data from public Web pages. The\n           Army also plans to consolidate all the Army servers including those of the\n           National Guard and the Reserve. Control of the servers will be through three\n           regional centers under the direct control of the Chief Information Officer, G-6.\n           Additionally, Web policy was promulgated, formal management controls were\n           developed, and an Army Web Risk Assessment Cell was created to strengthen\n           Army Web site administration.\n\n\n\n\n1\n    The Director of Information Systems is now called the Chief Information Officer, G-6.\n\n\n\n                                                      11\n\x0cRecommendations, Management Comments and Audit\n  Response\n    1. We recommend that the Director for Information Systems for Command,\n    Control, Communications, and Computers:\n\n            a. Revise policy to require major commands to document periodic\n    policy compliance reviews of publicly accessible Web sites, report results to\n    the Director for Information Systems for Command, Control,\n    Communications and Computers, and establish a followup system to resolve\n    discrepancies identified.\n\n    Management Comments. The Director of Enterprise Integration partially\n    concurred with the recommendation. The Director stated that the Army recently\n    revised AR 25-1 \xe2\x80\x9cArmy Information Management,\xe2\x80\x9d to require Army\n    organizations to designate a reviewer to clear information that is posted to the\n    World Wide Web site. 
The reviewer is required to conduct routine reviews of\n    Web sites on a quarterly basis to ensure compliance with DoD and Army policy.\n    At a minimum, the review will include all of the Web site management control\n    checklist items contained in Appendix B-4 of the AR 25-1 (see the Management\n    Comments section). The revisions are awaiting the approval of the Secretary of\n    the Army. Further, due to resource constraints, the Director did not concur with\n    requiring major commands to report results of the periodic reviews to the Chief\n    Information Officer. Instead, she stated that the requirement of report\n    submissions through the chain of command from organizations that have been\n    notified of specific violations on their Web sites would be supported, and the\n    requirement of ad hoc reporting to the Chief Information Officer,G-6 on the\n    violations that have been identified would be continued.\n\n    Audit Response. Although the Director nonconcurred with part of the\n    recommendation, planned actions meet the intent of the recommendation.\n\n            b. Coordinate with the Training and Doctrine Command to establish\n    a training requirement and curriculum for Army Web administrators and\n    require that Web administration personnel be trained before being assigned\n    Web duties.\n\n    Management Comments. The Director concurred with the recommendation and\n    is coordinating with the Training and Doctrine Command and the Army Signal\n    Center and School to determine the training requirement for Web site\n    administration personnel.\n\n    c. Revise policy to require the reconciliation and verification of data\n    contained on the Army Home Page with data contained in the Government\n    Information Locator Service as part of the periodic review.\n\n    Management Comments. 
The Director concurred with the recommendation.\n    The Army Web Risk Assessment Cell is performing a reconciliation to ensure\n\n\n                                       12\n\x0cthat every Army Web site has been properly registered in the Government\nInformation Locator Service. Once the reconciliation is complete, the Army Web\nRisk Assessment Cell will conduct spot-checks to ensure registration in the\nGovernment Information Locator Service.\n\n       d. Establish an Army Web Risk Assessment Cell.\n\nManagement Comments. The Director concurred with the recommendation.\nOn February 26, 2002, the Army established a Web Risk Assessment Cell to\nconduct routine reviews of Army Web sites for compliance with DoD and Army\npolicies, conduct random reviews of Army Web sites, notify components of\nsecurity concerns, ensure corrective action, and report corrective action results.\n\n2. We recommend that the Deputy Chief of Staff for Operations and Plans\nrequire major commands\xe2\x80\x99 operational security personnel perform\nindependent annual operational security reviews of Web sites as part of their\nOperational Security Program and annual Operational Security Report.\n\nManagement Comments. The Deputy Chief of Staff for Operations and Plans,\nnow the Deputy Chief of Staff, G-3 concurred with the recommendation. The\nDeputy Chief of Staff will direct all major commands to add an annual review of\ntheir publicly accessible Web sites for operational security and address the results\nin their annual operational security reports.\n\n3. We recommend that the Chief of Public Affairs, in coordination with the\nDirector of Information Systems for Command, Control, Communications,\nand Computers, establish an oversight mechanism to monitor whether Army\norganizations are using consistent procedures for reviewing and approving\nall information posted to Web sites.\n\nManagement Comments. 
The Director concurred with the recommendation.\nShe and the Public Affairs Officer will use performance measures established by\nthe Army Web Risk Assessment Cell for assessing improvements in the security\nand compliance of the Army\xe2\x80\x99s Web sites.\n\n\n\n\n                                     13\n\x0cAppendix A. Audit Process\n\nScope\n    Work Performed. We visited the Forces Command and the Training and\n    Doctrine Command. We selected the Forces Command because it included the\n    majority of Army units. We selected the Training and Doctrine Command\n    because it was responsible for information technology training. The subordinate\n    Components visited included the Reserve Command, the I Corps, Fifth Army,\n    70th Regional Support Command, 94th Regional Support Command, Cadet\n    Command, Adjutant General School, Army Chaplain School, Army Finance\n    School, the Recruiting and Retention School, and Soldier Support Institute. The\n    results of our review of 2 major commands and 11 subordinate Components do\n    not reflect a projection to all Army major commands and subordinate\n    Components. We reviewed and evaluated Army Web site policies for publicly\n    accessible Web sites. We conducted discussions with officials to evaluate\n    whether policies and practices were adequate. We reviewed records and\n    documents dated from November 1998 through December 2001.\n\n\nMethodology\n    Use of Computer-Processed Data. We relied on computer-processed data\n    without performing tests of system general and application controls to confirm the\n    reliability of the database. However, not establishing the reliability of the\n    database will not affect the results of our audit. We relied on judgmental\n    sampling procedures to develop conclusions on the audit.\n\n    Audit Dates and Standards. 
We performed this audit from May 2001 through\n    January 2002 in accordance with generally accepted government auditing\n    standards.\n\n    Contacts During the Audit. We visited or contacted individuals and\n    organizations within DoD. Further details are available on request.\n\n\nManagement Control Program Review\n    DoD Directive 5010.38, \xe2\x80\x9c Management Control (MC) Program,\xe2\x80\x9d August 26,\n    1996, and DoD Instruction 5010.40, \xe2\x80\x9cManagement Controls (MC) Program\n    Procedures,\xe2\x80\x9d August 28, 1996, require DoD managers to implement a\n    comprehensive system of management controls that provide reasonable assurance\n    that programs are operating as intended and to evaluate the adequacy of the\n    controls.\n\n\n\n                                        14\n\x0c    Scope of the Review of the Management Control Program. We reviewed the\n    adequacy of Army management controls over DoD and Army policies and\n    practices for Web site administration and oversight. In assessing those controls,\n    we evaluated policies and practices on how Government or other servers host\n    official Army Web sites, how the Army registers and monitors Web sites for\n    compliance with policy, and how the Army safeguards sensitive information. We\n    reviewed management\xe2\x80\x99s self-evaluation applicable to those controls.\n\n    Adequacy of Management Controls. We identified material management\n    control weaknesses for the Army as defined by DoD Instruction 5010.40.\n    Army management controls for oversight of Army Web sites were not adequate to\n    identify a complete listing of Web sites, conduct annual multi-disciplinary\n    reviews, and establish a followup system to track inappropriate information\n    posted. The recommendations, if implemented, will improve the oversight\n    process and the Web site administration process. 
A copy of the report will be\n    provided to the senior official responsible for management controls in the Office\n    of the Assistant Secretary of Defense (Command, Control, Communications, and\n    Intelligence).\n\n    Adequacy of Management\xe2\x80\x99s Self-Evaluation. The Director for Information\n    Systems for Command, Control, Communications, and Computers did not\n    identify oversight of Army Web sites as an assessable unit and therefore did not\n    identify or report the material management control weakness identified by the\n    audit.\n\n\nPrior Audit Coverage\n    During the last 5 years, the GAO and the Inspector General of the Department of\n    Defense both issued two reports on the issue of Internet privacy.\n\n    General Accounting Office\n    GAO Report No. GAO-01-147R \xe2\x80\x9cInternet Privacy: Federal Agency Use of\n    Cookies,\xe2\x80\x9d October 20, 2000\n\n    GAO Report No. GAO/AIMD-00-296R, \xe2\x80\x9cFederal Agencies\xe2\x80\x99 Fair Information\n    Practices,\xe2\x80\x9d September 11, 2000\n\n    Inspector General of the Department of Defense (IG DoD)\n\n    IG DoD Report No. D2001-130 \xe2\x80\x9cDoD Internet Practices and Policies,\xe2\x80\x9d\n    May 31, 2001\n\n    IG DoD Report No. D2002-062 \xe2\x80\x9cAir Force Web site Administration, Policies,\n    and Practices,\xe2\x80\x9d March 13, 2002\n\n\n\n\n                                        15\n\x0cAppendix B. 
Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n\nDepartment of the Army\nCommanding General, Forces Command, Department of the Army\nCommanding General, Training and Doctrine Command, Department of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nDirector of Information Systems for Command, Control, Communications, and\n   Computers, Department of the Army\nDeputy Chief of Staff for Operations and Plans, Department of the Army\nChief of Public Affairs, Department of the Army\nAuditor General, Department of the Army\n\nOther Defense Organization\nDirector, Defense Information Systems Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n   Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations,\n  Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n                                          16\n\x0cDepartment of Army Comments\n\n\n\n\n                   17\n\x0c18\n\x0c19\n\x0c20\n\x0c21\n\x0c22\n\x0c23\n\x0c       Audit Team Members\nThe Acquisition Management Directorate of the Office of the Assistant Inspector General\nfor Auditing of the 
Department of Defense prepared this report. Personnel of the Office\nof the Inspector General of the Department of Defense who contributed to the report are\nlisted below.\n\n       Mary L. Ugone\n       Bruce A. Burton\n       Thomas S. Bartoszek\n       Lisa E. Novis\n       Thomas J. Hilliard\n       Thelma E. Jackson\n       Carrie J. Gravely\n       Mandi L. Markwart\n       Patrice A. Cousins\n       Constance E. Halahan\n       Jacqueline N. Pugh\n       Jenshel D. Marshall\n\x0c'